Privacy Policy

Atlas acts in a mixed role. Atlas is generally the controller for public website inquiries, direct business communications, account administration that Atlas manages for its own service, security logs, fraud prevention, and product analytics that Atlas uses to operate, secure, and improve the service.

For customer operational records in the product, including workforce accounts provisioned by the customer, delivery notes, warehouse assignments, measurement records, audit evidence, loading records, and related media, Atlas generally acts as a processor or service provider on behalf of the relevant customer organization. In those cases, the customer decides the business purpose for the data and Atlas processes the data under the customer contract and DPA.

• Account and identity data, such as name, email address, user ID, role, warehouse assignment, password-reset state, and two-factor authentication state.
• Operational and audit data, such as delivery-note records, log tags, stack and vessel references, driver and truck details entered by customers, timestamps, comments, and workflow history.
• Photo and scan evidence, such as audit photos, measurement photos, barcode or QR scan results, and uploaded file metadata.
• Device, network, and diagnostic data, such as IP address, browser or app version, device characteristics, crash reports, performance metrics, error telemetry, request identifiers, and approximate session timestamps.
• Website, cookie, and local-storage data, such as locale, consent preferences, theme, warehouse selection, table preferences, temporary draft state, and other product settings stored on the device.
• Support and communications data, such as messages sent through the website or support channels and records of customer requests.

Atlas receives data from customer administrators, business users, warehouse workers, auditors, and other authorized personnel who use the service.

Atlas also receives data automatically from browsers, mobile devices, application instrumentation, authentication flows, security checks, and service providers that support hosting, storage, diagnostics, analytics, and communications.

• To authenticate users, enforce role-based access, assign warehouse scope, protect accounts, and operate password-reset and two-factor flows.
• To deliver core warehouse and logistics workflows, including measurement, auditing, loading, reporting, and attachment handling.
• To support offline use, sync queued work, recover from service interruption, and maintain auditability and chain-of-custody records.
• To secure the services, investigate abuse or incidents, troubleshoot defects, monitor availability and performance, and improve reliability.
• To respond to inquiries, provide customer support, comply with law, enforce contracts, and defend legal claims.

Where Atlas acts as controller, Atlas generally relies on contract necessity, legitimate interests in operating and securing the service, consent for non-essential analytics or similar technologies where required, and legal obligations where applicable. Where Atlas acts as processor or service provider, Atlas processes customer data under the customer instructions and the applicable customer agreement.

Atlas discloses personal data only to the extent needed to run the service, comply with law, or support customer instructions.

• Customer organizations and their authorized administrators, managers, and users.
• Hosting and infrastructure providers, including Vercel for the web application and Amazon Web Services for backend infrastructure, storage, and related service components.
• Security and anti-abuse providers, including Cloudflare Turnstile for bot and abuse checks on sensitive auth flows.
• Analytics and diagnostics providers, including PostHog for product analytics and Google Firebase Analytics, Crashlytics, and Performance Monitoring for Android diagnostics and app telemetry.
• Email and communications infrastructure used to send password resets, account notices, and support communications.
• Professional advisers, regulators, courts, law enforcement, or transaction counterparties where disclosure is legally required or reasonably necessary.

Atlas may process or store data in countries outside the country where the data was collected. Where transfer rules apply, Atlas uses appropriate safeguards such as contractual transfer clauses and supplementary measures where required.

Atlas retains controller-side data for as long as needed to handle inquiries, administer accounts, secure the services, maintain business records, and meet legal obligations.

Customer-content retention is primarily governed by customer instructions and the customer contract. Atlas does not treat workforce or operational records as consumer self-service accounts. Atlas exposes customer-configurable retention settings for some audit records, with a default audit retention setting of 365 days in current backend configuration, but customers and Atlas may agree to different retention schedules in contract or product settings.

Backups, logs, and security records may remain for limited periods after active records are deleted or returned. Atlas deletes or returns customer data at the end of the customer relationship in accordance with the customer agreement and DPA unless law requires longer retention.

If you submitted information directly through the public website, you may request access, correction, deletion, or another privacy action from Atlas directly.

If you use Atlas through your employer or another Atlas customer, that customer is usually the first point of contact for access, correction, deletion, restriction, or objection requests relating to service data. Atlas will support the customer as processor or service provider where the law requires it.

Atlas does not sell personal information and does not use Atlas service data for third-party advertising. Atlas also does not knowingly process child-directed data through the service.

Atlas uses strictly necessary cookies and similar storage for authentication, locale, security, consent preference, product settings, and temporary device-side state. Atlas also uses non-essential analytics technologies only after the user grants consent where consent is required.

On the web application, Atlas currently uses consent-gated PostHog analytics and consent-gated Vercel Speed Insights. The Android application uses Firebase Analytics, Crashlytics, Firebase Performance Monitoring, and PostHog. Mobile analytics are described in the app disclosures and this policy.

The Android application requests camera access for barcode or QR scanning and for capture of audit or measurement photos where the workflow requires photo evidence. Audit alerts require both a comment and a photo before submission.

The Android application stores authentication material in encrypted device storage, caches limited offline work and user context for resilience, and syncs queued work when connectivity returns. Devices used in the field should be protected with device-level security controls because locally stored operational data can remain on the device until sync or account removal.

Atlas uses role-based access controls, transport security, signed upload URLs, environment-based secret management, request tracing, service monitoring, and other reasonable technical and organizational measures designed for a warehouse-operations product. No system can be guaranteed perfectly secure, so Atlas also relies on customers to administer accounts, device controls, and warehouse access appropriately.

Atlas may update this Privacy Policy to reflect legal, technical, operational, or product changes. The current public version will remain available at this URL, and material changes may also be surfaced through the service or customer communications.